Bad Actors Penetrate Bitcoin-Backed DeFi Protocol And Steal $1 Million
Recently, Sovryn, a Bitcoin-based DeFi protocol, lost $1 million in digital assets through a hack. The hacker executed the attack through price manipulation and carted away $1 million in crypto, including 44.93 RBTC and 211,045 USDT.
The incessant hack attacks on crypto platforms have become a plague in the crypto industry, leaving questions of who would be next. The series of hacks has left the crypto ecosystem on edge.
Sovryn commented on the news in a blog post, saying the attackers targeted the legacy Sovryn Borrow/Lend protocol. The action affected the RBTC and USDT lending pools.
The Sovryn protocol runs on Rootstock (RSK). RBTC is a Bitcoin-pegged crypto asset, while USDT is a dollar-pegged stablecoin. Both RBTC and USDT circulate on Rootstock. Rootstock is a Bitcoin side-chain that enables smart contracts and DApps and increases scalability.
During the Sovryn attack, funds were withdrawn with Sovryn’s swap functions, leading to the removal of many tokens. Sovryn is now trying to recover the funds. Sovryn spokesperson Edan Yago said developers took a multi-layered security approach and recovered half of the funds before the withdrawal.
Sovryn’s Hacker Manipulated The iToken Prices
Edan said the attack marks the first successful attack against Sovryn in its two years of operation. He further said Sovryn is the most extensively audited DeFi Protocol, with active and valuable bug bounty systems.
Sovryn explained that the hack worked through the prices of Sovryn’s interest-bearing tokens (iTokens), which users hold in lending pools. An iToken’s price is updated any time an interaction with its lending pool occurs.
Sovryn’s attacker used flash swaps on RskSwap to buy wrapped RBTC. He borrowed more wrapped RBTC from Sovryn’s lending contract with his XUSD as collateral. He redeemed the funds by burning iRBTC (interest-bearing RBTC) and sent the wrapped RBTC back to RskSwap to complete the flash swap.
The process altered and manipulated the iRBTC price and allowed the attacker to withdraw more RBTC from the lending pool than the initial deposit.
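The sequence described above leaves a footprint a monitoring team can look for: one caller deposits into a lending pool, borrows from it, and redeems more than it deposited, all inside a single transaction, where no interest can have accrued. The sketch below is an added example, not code from Sovryn or from this article; the event fields, the tolerance value and the sample events are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample events (not real chain data). Field names are assumptions:
# kind is mint (deposit), borrow, or burn (redeem); amount is the underlying
# asset moved into or out of the pool by that call.
SAMPLE_EVENTS = [
    {"tx": "tx-1", "actor": "alice", "pool": "iRBTC", "kind": "mint", "amount": "2.0"},
    {"tx": "tx-2", "actor": "alice", "pool": "iRBTC", "kind": "burn", "amount": "2.003"},
    {"tx": "tx-3", "actor": "bob", "pool": "iRBTC", "kind": "mint", "amount": "5.0"},
    {"tx": "tx-3", "actor": "bob", "pool": "iRBTC", "kind": "burn", "amount": "5.0"},
    {"tx": "tx-4", "actor": "addr-x", "pool": "iRBTC", "kind": "mint", "amount": "10"},
    {"tx": "tx-4", "actor": "addr-x", "pool": "iRBTC", "kind": "borrow", "amount": "50"},
    {"tx": "tx-4", "actor": "addr-x", "pool": "iRBTC", "kind": "burn", "amount": "14.5"},
    {"tx": "tx-5", "actor": "carol", "pool": "iRBTC", "kind": "mint", "amount": "1"},
    {"tx": "tx-5", "actor": "carol", "pool": "iRBTC", "kind": "borrow", "amount": "0.5"},
    {"tx": "tx-5", "actor": "carol", "pool": "iRBTC", "kind": "burn", "amount": "1"},
]


def flag_same_tx_overredemption(events, tolerance=Decimal("0.0001")):
    """Flag (tx, actor, pool, excess) where one caller mints, borrows and burns
    in the same pool within one transaction and redeems more than it deposited.
    The tolerance only absorbs rounding: interest cannot accrue inside one tx."""
    totals = defaultdict(lambda: defaultdict(Decimal))
    for event in events:
        key = (event["tx"], event["actor"], event["pool"])
        totals[key][event["kind"]] += Decimal(event["amount"])

    flagged = []
    for (tx, actor, pool), t in totals.items():
        touched_all = t["mint"] > 0 and t["borrow"] > 0 and t["burn"] > 0
        if touched_all and t["burn"] > t["mint"] * (1 + tolerance):
            flagged.append((tx, actor, pool, t["burn"] - t["mint"]))
    return flagged


if __name__ == "__main__":
    for tx, actor, pool, excess in flag_same_tx_overredemption(SAMPLE_EVENTS):
        print(f"ALERT {tx}: {actor} redeemed {excess} more than deposited in {pool}")
```

A redemption with interest in a later transaction (alice) and a same-transaction round trip with no gain (bob, carol) are not flagged; only the transaction that combines all three calls with an in-transaction gain is.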
Sovryn confirmed that users’ funds were not affected during the exploit, and the Exchequer would replace any lost value. The Exchequer is Sovryn’s treasury.
Other DeFi Hack Exploits In 2022
The DeFi ecosystem has suffered multiple hack attacks in 2022. The blockchain security firm PeckShield revealed that hackers stole over $2.32 billion in over 135 exploits from the DeFi ecosystem this year.
Some top DeFi hacks in 2022 include the Ronin Network hack, which constituted a $620 million loss on March 23. On February 2, the Wormhole Bridge attack also caused a loss of $320 million. Finally, Nomad Bridge got hacked on August 2, and the attackers stole $190 million worth of cryptocurrency.
The list goes on and on, with more than ten recorded hack attacks in 2022 alone. For example, the Beanstalk Farm exploit caused a loss of $182 million in crypto, and the Wintermute hack caused a loss of $160 million in digital assets.